Configuring Multiple ACE Servers
8/10/2019 Configuring Multiple ACE Servers
Technical Note
Copyright 2007 VMware, Inc. All rights reserved.
Configuring Multiple ACE Management Servers
VMware ACE 2.0
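This technical note describes how to configure multiple VMware ACE Management Servers to work together. VMware recommends this configuration for scaling ACE Management Server service for thousands of clients. See Figure 1.
Figure 1. Two ACE Management Servers Configured to Work Together
[Figure 1 labels: AMS Clients, load balancer (optional), ACE Management Server 1, ACE Management Server 2, Active Directory domain controller, database server; connections labeled HTTPS, LDAP/Kerberos, and ODBC.]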
A single ACE Management Server can handle a preset number of clients, but you can add more servers to your ACE Management Server infrastructure by using load balancing. When you add more servers to the load balancing group, the number of clients that you can serve will scale in a linear fashion. For example, if you can serve 2,000 clients with one server, using two load balanced servers will allow you to serve 4,000 clients.
This technical note assumes that you are familiar with the installation and configuration of a standalone ACE Management Server with external database support. It also describes how to set up two or more servers and the extra steps that are necessary to use the load balance feature.
This technical note contains the following sections:
Requirements
Installation of Services
Load Balancing
Verification
Final Notes
Requirements
To use the information in this technical note, you will need the following:
Two or more machines (or Virtual Machines) to host the ACE Management Server processes
An external database to host the ACE Management Server data
A load balancing solution to manage traffic
Installation of Services
Install the ACE Management Server package on two or more machines (or virtual machines). Configure each one separately to access the same external database.
You must use an external database to configure multiple ACE Management Servers. Both ACE Management Server installations must be able to identify the same data store so either installation can field queries for clients and scale the number of clients that can be served.
You can verify that both ACE Management Servers are working properly by starting Workstation ACE Edition and connecting to each ACE Management Server directly (by IP or host name). You should see the same data in the Instance View window. If you create a test ACE and preview it, you see the preview instance on both servers.
Using the Same SSL Certificate on All Servers
The following procedure describes how to copy the SSL certificate and key from one ACE Management Server to another.
To copy the SSL certificate and key from one ACE Management Server to another
1 Log in to ACE Management Server 1.
2 Locate both the SSL certificate and key directory files.
  On Windows machines, the files are located at C:\Program Files\VMware\VMware ACE Management Server\ssl.
  On Linux machines, the files are located at /var/lib/vmware/acesc/ssl.
  The certificate file is server.crt. The key file is server.key.
3 Use scp (secure copy) to copy the following files if you are using the Virtual Appliance of the ACE Management Server by performing the following steps:
  a Enter scp user@: user@:.
    You can also enable shared folders (if you are using VMware Workstation to run the Virtual Appliance), and copy the files out of the virtual machine through the shared folders feature.
  b Open a browser, and load the configuration page for ACE Management Server 2.
  c Click the Custom SSL Certificates tab.
  d Specify the key file in the Server Private Key field.
  e Specify the certificate file in the Server Public Certificate field.
  f Click Upload certificates.
  g Click Apply.
4 Restart ACE Management Server 2.
Creating New SSL Certificates and Keys for Each Server
If you do not want to use the same SSL certificate and key for each ACE Management Server, you must create new SSL certificates and keys for each server. The following steps guide you through the process of creating new SSL certificates and keys and installing them on your ACE Management Server.
To create new SSL certificates and keys
1 Create as many SSL certificate and key pairs as you need (one for each server in your server farm).
  The procedure for doing this varies depending on the tools you use. See the documentation for your platform to determine how to create these certificates and keys. Each certificate must have a unique common name and a unique serial number.
2 If your certificates require a certificate chain to be verified, create a certificate chain file.
  The certificate chain file is a text file that contains every certificate (in PEM format) needed in order to verify the leaf certificate (including the root certificate of the chain).
  a Download the verification chain from your certificate authority.
  b Each certificate must be in PEM format prior to creating the certificate chain file. To convert to PEM format, use the OpenSSL tools available online.
  c Create the certificate chain file by concatenating each PEM encoded certificate into one file.
  You now have a certificate chain file for every new certificate that you have created. For example, if you are using two ACE Management Servers you would have two certificate chain files.
3 Join all of these certificate chain files into one large file. If you can, eliminate the duplicate entries.
4 Convert the servers' SSL certificates to PEM format.
5 Add the servers' SSL certificates in PEM format to the certificate chain file.
You have three files that need to be uploaded to every ACE Management Server in your farm:
SSL certificate file
SSL key file
Certificate chain file
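The joining and de-duplication in steps 3 to 5, as an added Python example that is not part of the VMware note: it merges per-server chain files and the servers' certificates into one PEM file, comparing certificates by their decoded bytes so that the same CA certificate saved with different line endings is kept only once. The function names are hypothetical, and the sample certificates are constructed stand-in bytes, not real X.509 data.

```python
import base64
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_to_der_list(pem_text):
    """Decode every CERTIFICATE block in a PEM text to its DER bytes."""
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_CERT.findall(pem_text)]


def der_to_pem(der):
    """Re-encode DER bytes as a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def merge_chain_files(chain_texts, server_cert_texts):
    """Join chain files, then server certificates, keeping each cert once."""
    seen, merged = set(), []
    for text in [*chain_texts, *server_cert_texts]:
        for der in pem_to_der_list(text):
            digest = hashlib.sha256(der).digest()
            if digest not in seen:  # duplicate CA certs are skipped here
                seen.add(digest)
                merged.append(der_to_pem(der))
    return "".join(merged)


def _stand_in(label):
    # Constructed placeholder bytes; a real file would hold X.509 DER data.
    return der_to_pem(label.encode("ascii") * 12)


# Constructed sample: both servers' certificates come from the same CA, and
# the second chain file was saved on Windows with CRLF line endings.
ROOT, INTERMEDIATE = _stand_in("root-ca"), _stand_in("intermediate-ca")
AMS1_CERT, AMS2_CERT = _stand_in("ams1-leaf"), _stand_in("ams2-leaf")
CHAIN_AMS1 = ROOT + INTERMEDIATE
CHAIN_AMS2 = (ROOT + INTERMEDIATE).replace("\n", "\r\n")

MERGED = merge_chain_files([CHAIN_AMS1, CHAIN_AMS2], [AMS1_CERT, AMS2_CERT])
print(MERGED.count("BEGIN CERTIFICATE"), "certificates in merged chain file")
```

With real files, read each chain file and server certificate as text and pass the strings in the same order; the output lists the verification chain first and the server certificates last.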
Complete this procedure for every ACE Management Server in your farm to upload files to each ACE Management Server.
To upload the files to the servers in your server farm
1 Open a browser and load the configuration page for your ACE Management Server.
2 Click the Custom SSL Certificates tab.
3 Specify the key file in the Server Private Key field.
4 Specify the certificate file in the Server Public Certificate field.
5 Specify the certificate chain file in the Server Public Certificate Authentication Chain field.
6 Click Upload certificates.
7 Click Apply.
8 Restart the ACE Management Server.
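Figure 2. Creating the Certificate Chain File
[Figure 2 labels: certificate verification chain (Root SSL Certificate, Intermediary SSL Certificate); server SSL certificates (ACE Management Server #1 SSL Certificate, ACE Management Server #2 SSL Certificate); each is converted to PEM and then appended to the Certificate Chain File.]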
Load Balancing
ACE Management Server uses HTTPS to communicate with its clients. Any load balancing solution that supports HTTPS should work with ACE Management Server.
Install your load balancer and configure port 443 (HTTP over SSL) for load balancing. Do not configure port 8080 or 8000 for load balancing. These two ports are used for configuration. Port 8080 is the virtual appliance configuration port and 8000 is the ACE Management Server configuration port.
Verification
Restart your Workstation ACE Edition client before verification. This is required so that Workstation ACE Edition redownloads the SSL Certificate when a connection to the ACE Management Server is established.
You should be able to connect to your ACE Management Server using the address of the load balancer. Create a test ACE instance and preview it. The preview instance should run regardless of which ACE Management Server serves its requests. You can test this in the following way:
To test your ACE instance
1 Create a test ACE template.
2 Open the policy editor.
3 Select Policy Update Frequency.
4 Select Disable Offline Usage.
5 Click OK.
6 Remove the first ACE Management Server from your load balancing configuration (all traffic will go to the second ACE Management Server).
7 Preview the test ACE.
  This will create an instance on the ACE Management Server.
8 Close the ACE Player.
9 Remove the second ACE Management Server from the load balancing configuration and add the first ACE Management Server back into the configuration.
  All traffic will go to the first ACE Management Server now.
10 Preview the same ACE template again. When prompted whether to reinstantiate or reuse the instance, select Use Existing Instance.
  The instance should start successfully. If the instance starts successfully, both servers are using the same SSL certificate.
Final Notes
It is also possible to configure multiple ACE Management Servers using different certificates (self-signed or with a verification chain).
The steps for this procedure are similar. You must create new certificates and keys (or download them from your Certificate Authority). Upload them to each server.
An extra step is required when using separate certificates. Create a certificate chain file. The certificate chain file is a file that contains multiple certificates concatenated together (in PEM format). If both of your certificates are self-signed, your certificate chain file should be a file that contains both certificates concatenated. If you received your certificates from the same certificate authority, the chain file must contain only the verification chain for these certificates (which should be the same). If the certificates come from different certificate authorities, the chain file must contain both certificate verification chains.
Upload the certificate chain file at the same time that you upload the certificate and key file to the server.
VMware, Inc. 3401 Hillview Ave., Palo Alto, CA 94304 www.vmware.com
2007 VMware, Inc. All rights reserved. Protected by one or more of U.S. Patent Nos. 6,397,242, 6,496,847, 6,704,925, 6,711,672, 6,725,289, 6,735,601, 6,785,886, 6,789,156, 6,795,966, 6,880,022, 6,944,699, 6,961,806, 6,961,941, 7,069,413, 7,082,598, 7,089,377, 7,111,086, 7,111,145, 7,117,481, 7,149,843, 7,155,558, 7,222,221, 7,260,815, 7,260,820, and 7,269,683; patents pending. VMware, the VMware boxes logo and design, Virtual SMP and VMotion are registered trademarks or trademarks of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
Revision 20070919